Why don't I agree with Bruce Schneier all the time :)

When describing Bruce Schneier's blog, I said "I don't agree with a lot of what he says". Apparently this is heresy in some parts, although I don't understand why. Bruce is unquestionably a very, very smart man (and an excellent writer, I simply loved Applied Cryptography), but he's no Chuck Norris :)

On most topics (security architecture, crypto design, threat analysis, etc.) Bruce is remarkable. I find most of what he writes to be insightful.

But Bruce seems to have a complete blind spot when it comes to Microsoft. To my knowledge, even though essentially every other serious security analyst has acknowledged that Microsoft has done a staggering amount of work to improve the security of its products, Bruce still maintains that Microsoft has no clue when it comes to security. That stings.

The #2 hit in a search for "Bruce Schneier Microsoft" is http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1011474,00.html, which includes: "Microsoft is certainly taking it more seriously than three years ago, when they ignored it completely. But they're still not taking security seriously enough for me. They've made some superficial changes in the way they approach security, but they still treat it more like a PR problem than a technical problem". This couldn't be farther from the truth. (The #1 hit is Schneier's FAQ about the PPTP analysis he did, where he neglected to acknowledge the work that Microsoft did to rectify the issues he found after his analysis.)

And then there was this gem (from February of this year): http://www.schneier.com/blog/archives/2007/02/drm_in_windows.html. He took Peter Gutmann's article and accepted it as the gospel truth, even though Gutmann had absolutely no factual basis for his speculation: Gutmann hadn't verified a single one of his claims; heck, he hadn't even installed Vista at the time he wrote his paper.

On the basis of one paper from someone who had never even RUN Vista, Schneier leapt to the conclusion that Microsoft had embedded DRM into all levels of the operating system and that was a reason to avoid Vista.

For the following 5 paragraphs, please note: I AM NOT A LAWYER. I AM NOT GIVING A LEGAL OPINION, THESE ARE JUST MY THOUGHTS.

I also believe that he hasn't fully thought out his position on holding companies financially liable for the security holes in their products. At first blush his idea is attractive, but I firmly believe that the consequences of his idea would totally destroy the Internet as we know it today.

It's also entirely possible that it would kill the open source movement (talk about unintended consequences). Let's say that there's a security vulnerability found. If the vulnerability is found in a closed source product (or in proprietary code), then the corporation would be the only one that could be held liable for the damages - the individual developer would be protected by the corporate liability shield.

But for open source projects, often there is no such corporate liability shield (I could imagine scenarios where a corporate liability shield might apply, but I don't think they apply in general). So who pays up if a vulnerability is found in an open source project? The only likely target is the individual developer (or developers) who introduced the defect (I suspect that those involved in the distribution that contained the vulnerable code would also be targeted).

This means that it's highly likely that the individual contributors to open source projects would be held personally financially liable for security vulnerabilities they introduce. So to contribute to open source projects, you'd have to have many millions of dollars of personal liability insurance (or run the risk of financial ruin if a mistake is found in your code). That is highly likely to result in a stifling of the open source movement, and there's no easy way to work around it.

It's also likely to decrease the likelihood that a corporation would adopt an OSS solution. Consider the situation where a bank (or major retailer) is worried about having its customer records hacked. Since the bank/retailer is going to be held responsible for its security breaches, the bank/retailer has to factor in that risk when it chooses a vendor for its database solution. If the bank/retailer thinks it can sue the software developer who developed the database solution in the event of a breach, and it has two choices for a database vendor, one developed by a bunch of people who don't have any real assets and the other from a company with insurance and assets, it would be crazy to choose the one where you have no one to sue.

Those are a couple of reasons why I disagree with Bruce Schneier on occasion.

Just one question: If DRM would really be passive, then why is the DRM code inseparably integrated into the kernel, is called from time to time and heavily interacts with other system components? And in fact every DRM-crippled file can trigger arbitrary actions with SYSTEM rights. Mr. Gutmann has been overstating some details, but his conclusions are pretty much correct, since they represent what the implementation looks like and can supposedly do.

anonymous: Why do you believe that DRM code is "inseparably integrated into the kernel, is called from time to time and heavily interacts with other system components"?

The kernel part of DRM is implemented in a couple of drivers (ci.sys, drmk.sys), it's not "inseparably integrated".

Could you please give me your reference to the assertion: "every DRM-crippled file can trigger arbitrary actions with SYSTEM rights"? That's a huge security hole in Windows and we absolutely take stuff like that VERY seriously.

Have you actually analyzed the implementation or are you simply repeating what you read on /.? Or are you thinking about things like the Sony "rootkit" DRM system? One of the reasons that Microsoft implemented DRM in Windows was to provide a reliable DRM solution that provided a robust alternative to 3rd party solutions that weren't always as high quality as the built-in solution.

anonymous

26 Jun 2007 2:55 PM

It is not just in the drivers anymore, it is part of the kernel now as well. And it is inseparable, since it's part of the kernel and you can't replace the drivers with dummy stubs anymore.

How can DRM-crippled files do whatever they want? Well, just consider what functionalities are offered via the DRM license scheme. Shutting off various subsystems, deleting arbitrary files, loading arbitrary modules. Sure this is a security issue, but it's not that Microsoft would have ever taken that seriously since the release of Windows Vista.

Besides that, what about the localization feature? You can still put a desktop.ini anywhere with the content:

    [LocalizedFilenames]
    malware.exe=foobar.jpg

and fool the user with spoofed filenames.

What about MSIE? It's still there and integrated into the shell!

For your convenience: Yes, I have analyzed the implementation thoroughly.

And please, cue your DRM jokes. DRM was put there to enforce restrictions against the user without his consent (and without legal liability, even though this has to be decided yet).
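The [LocalizedFileNames] relabelling described in the comment above is easy to audit from the defender's side: the section maps a real file name to the name Explorer displays, so an entry whose displayed extension differs from the real one is the spoof. The script below is an added example written for this page (not code from Microsoft or from anyone in this thread); the desktop.ini text and folder listing are constructed samples, and the section name is matched case-insensitively because Windows does not care about its case.

```python
"""Flag desktop.ini [LocalizedFileNames] entries that show a file under a different extension."""
import configparser
import os

# Constructed sample: a folder holding malware.exe plus a desktop.ini that relabels it as a .jpg.
SAMPLE_DESKTOP_INI = """
[.ShellClassInfo]
IconResource=%SystemRoot%\\system32\\shell32.dll,4

[LocalizedFileNames]
malware.exe=foobar.jpg
readme.txt=ReadMe.txt
report.doc=@shell32.dll,-21770
"""
SAMPLE_FOLDER_FILES = ["desktop.ini", "malware.exe", "readme.txt", "report.doc"]


def find_extension_spoofs(desktop_ini_text, folder_files=None):
    """Return (real_name, displayed_name) pairs whose displayed extension differs from the real one.

    If folder_files is given, only entries for files actually present are reported,
    since an entry for a file that is not there cannot mislabel anything.
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep the real file name's case instead of lowercasing it
    parser.read_string(desktop_ini_text)
    present = None if folder_files is None else {f.lower() for f in folder_files}
    findings = []
    for section in parser.sections():
        if section.lower() != "localizedfilenames":
            continue
        for real_name, displayed in parser.items(section):
            if displayed.startswith("@"):
                continue  # "@dll,-id" is a string-resource reference, not a file name
            if present is not None and real_name.lower() not in present:
                continue
            real_ext = os.path.splitext(real_name)[1].lower()
            shown_ext = os.path.splitext(displayed)[1].lower()
            if real_ext != shown_ext:
                findings.append((real_name, displayed))
    return findings


def scan_tree(root):
    """Walk a directory tree and report spoofing entries in every desktop.ini found."""
    report = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        ini = next((f for f in filenames if f.lower() == "desktop.ini"), None)
        if ini is None:
            continue
        with open(os.path.join(dirpath, ini), "rb") as fh:
            raw = fh.read()
        # Windows writes desktop.ini either as UTF-16 with a BOM or in the ANSI code page.
        text = raw.decode("utf-16") if raw.startswith((b"\xff\xfe", b"\xfe\xff")) else raw.decode("latin-1")
        hits = find_extension_spoofs(text, filenames)
        if hits:
            report[dirpath] = hits
    return report


if __name__ == "__main__":
    for real, shown in find_extension_spoofs(SAMPLE_DESKTOP_INI, SAMPLE_FOLDER_FILES):
        print(f"{real} would be displayed as {shown}")
```

Running `scan_tree` over a user's Downloads or Desktop folder turns the question of whether such files exist on a machine into a few seconds of work.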

The weird thing is that the DRM people at Microsoft seem to believe that every one of your assertions regarding DRM is false (I just asked them, because some of your assertions involve significant security vulnerabilities). I'm having a real hard time accepting that you've actually done the research, especially since you're hiding behind an anonymous ID and aren't willing to quote where your information source is.

IE's not integrated into anything - sure you can use the shell to launch IE if you specify a URL in the address bar. You can do the same thing with FF if you specify it as the default web browser (I just tried this). You're right that Windows comes with an HTML rendering engine and that you can't replace that HTML rendering engine (you can however install your own rendering engine and use it by default). That's because the developer community that writes applications on top of our platforms has requested that Windows have an HTML rendering engine built into the operating system.

I can't speak to the localizedfilename feature, I'm not a shell developer.

anonymous

27 Jun 2007 8:35 PM

Strangely enough, the official documentation about DRM even states some of the internals of DRM, e.g. how Protected Media Path, when being requested, forces the shutdown of any non-compliant sound driver.

Then again, of course MSIE is deeply integrated within the Explorer shell. Where do you think the single-click link stuff, the thumbnails, etc. come from? Why is it called the ShellDocView control? Or what does the desktop.htt do? Hell, it even extracts HTML from image metadata. Just one little bug in IE, and just viewing a set of files in Explorer can trigger arbitrary code, and of course MSIE is full of years-old unpatched vulnerabilities.

Methinks "anonymous" (if that *is* his real name) is just making stuff up as he goes along.

That desktop.ini thing is pretty stupid to begin with. I mean, if you can already read/write the desktop.ini file it means you're already executing code, right? So what does adding that stuff to desktop.ini give you in addition?

Norman Diamond

27 Jun 2007 11:27 PM

> IE's not integrated into anything

In Vista, I believe about 99% of that. Two examples of why I believe that much:

(2) The boot logo doesn't boast that monopoly power got every browser other than Internet Explorer booted out of OEM distributions.

One example of why I don't believe more than 99%:

My Quickstart toolbar still gets to contain shortcuts that I want it to contain.

> I can't speak to the localizedfilename feature

But you could test it easily. I think[*] you can just edit that file with Notepad. I think the only possible effect is, as Anonymous said, to spoof the user. We've seen that repetitions of spoofs like loveletterforyou.txt.vbs still aren't security issues and still don't need any reconsideration of default settings in Vista and even in server OSes, so don't waste time experimenting unless you want to experiment.

[* I've viewed it in Notepad but haven't experimented with changing it.]

And this code isn't new - drmk.sys existed on XP and it did exactly the same thing in XP as it does in Vista - it scanned the system looking for unsigned drivers and reported their presence to the application rendering audio which was allowed to make a policy decision based on the presence of unsigned drivers in the rendering path.

Nothing has changed in that area for Vista (there were other parts of the DRM system that did change for Vista, the introduction of protected processes, for example, but that part didn't change).

The S/PDIF cutout was also in XP (including the USB exception, which is still in Vista: USB S/PDIF devices don't have to disable their S/PDIF output when protected content is rendered; go figure that one out).

> So the desktop.ini file COULD be used as a stepping stone to gaining system access.

Possibly, I suppose. But like I said, if you can already read/write a desktop.ini file, you don't need to disguise an exe as a jpg or whatever. Unless you've *already* compromised the system and are just leaving your "picture" as a surprise :-)

A possible fix would be to simply not allow you to change the extension of a file using desktop.ini.

> My Quickstart toolbar still gets to contain shortcuts that I want it to contain.

If you mean "shortcuts to internet locations" then that has nothing to do with Internet Explorer. You could just as easily have those shortcuts launch in Firefox using the "set program and access defaults" thingy... if you mean something else, please elaborate.

I mean shortcuts to programs that I want to invoke. Theoretically it could mean shortcuts to internet locations, though I never thought of using up valuable real estate in the task bar for such a purpose.

Did you notice the folder names that you traverse in order to get to those shortcuts? Do you think I'm going to waste time experimenting to see if they'll still work after renaming one of the folders to "Netscape Navigator"? Do you think maybe someone other than a monopoly set that folder name because that would be the real way to get Netscape kicked out of preinstalls when OEMs wouldn't cave in to financial bullying?

Anyway, I do find the Quickstart toolbar convenient, I do use it, and hold my nose while traversing directories to get there.

"Did you notice the folder names that you traverse in order to get to those shortcuts? Do you think I'm going to waste time experimenting to see if they'll still work after renaming one of the folders to "Netscape Navigator"? Do you think maybe someone other than a monopoly set that folder name because that would be the real way to get Netscape kicked out of preinstalls when OEMs wouldn't cave in to financial bullying?"

I *think* QuickLaunch was originally added by the IE4 upgrades to the shell, someone please feel free to correct me if that's wrong :) But, if that's the case, then the reason that the path contains "Internet Explorer" is one near and dear to Microsoft's heart, back-compat...

anonymous (again)

28 Jun 2007 7:07 PM

For writing a desktop.ini, you don't need to run any program. Just pack it up in a ZIP file together with the malware and let the user extract it. Voilà, the malware and the desktop.ini end up in the same folder.

Even further, you can name the folder Foldername.{GUID}, where the GUID is a reserved one of the shell namespace, e.g. the MyDocs GUID. In this case, independent of your settings, Windows Vista will definitely load the desktop.ini and act accordingly.

Or what if the user downloads multiple files with a download manager? He won't even see a redirect to the different filename "desktop.ini" instead of "some_cool_stuff.zip". He also downloads the malware, and then, since they end up in the same folder, the trick works again.

As for PMP: According to my analysis, the application is also providing a policy (TagDRMRights struct) which then enforces how drmk.sys forwards data and signals the required commands to the DRMed driver, or the shutdown of non-acceptable drivers to the ks.sys subsystem.

At any rate, on Windows XP you can safely replace drmk.sys with a dummy module and remove the rest of the DRM subsystem. Now, how does this work on Windows Vista? I'd say not at all.